Device for reliable signal generation

ABSTRACT

A device for reliably generating signals in a motor vehicle, having a control arrangement which is supplied at least one control signal, the control arrangement generating a trigger signal as a function of the control signal in order to trigger at least one switching element or driver. The control arrangement includes an emergency-operating arrangement which, in an emergency operation, generates the trigger signal as a function of at least the one control signal, a testing arrangement being provided, which tests the operativeness of the emergency-operating arrangement by selective triggering.

FIELD OF THE INVENTION

The present invention relates to electronic circuits, and relates inparticular to a device for reliably generating signals.

BACKGROUND INFORMATION

German Published Application No. 100 11 410 describes a device forreliably generating signals, where signals critical with regard tosafety can be generated, on one hand, by a microcontroller and, on theother hand, by an emergency-operation circuit path, independently of themicrocontroller, in the case of a fault of the microcontroller. Thisincreases the reliability of generating a safety-related signal.However, selective monitoring for the correct functioning of thecomponents involved is not provided.

SUMMARY OF THE INVENTION

A device according to the present invention for reliably generatingsignals in a motor vehicle includes, in one embodiment, at least onecontrol arrangement, which receives at least one control signal. Thecontrol arrangement generates a trigger signal as a function of thecontrol signal, in order to trigger a switching element. An emergencyoperating arrangement is provided, which, during an emergency operation,bypasses the control arrangement and generates the trigger signal as afunction of at least the one control signal. A testing arrangement ofthe present invention checks the operativeness of the emergencyoperating arrangement by deliberately triggering them. The device of thepresent invention allows the operativeness of the involved components ofa reliable signal generation system to be checked constantly. Defectiveoperating states of the emergency operating arrangement are reliablydetected and may be displayed to the user, in order, for example, tofind a garage and repair the defect.

In an advantageous further embodiment, the emergency operatingarrangement is activated for a specifiable time span. As a rule, thisshort time span is sufficient for detecting a fault of the emergencyoperating arrangement from incoming check-back signals. A check-backsignal appearing within this time span is compared to the nominal statethat corresponds to the control signal. In the event of deviations, afault is inferred.

The emergency operating arrangement may be activated by an edge change.If the emergency operating arrangement is functional, then the desiredfunction may already be activated at this time by the control signal.After the specifiable time span has elapsed, the control arrangementtakes over the further triggering of the switching element. For theuser, this means unnoticeable test routines, which are executed witheach occurrence or edge change of a control signal. Even if theemergency operating arrangement is defective, the user does not noticepossible delays in the activation or deactivation of the desiredfunction, since the specifiable time span may be selected to beappropriately short.

According to a further embodiment, the signals “ignition”, “start”, “lowbeam”, and “parking light” are provided as examples of control signalsand can be of high safety relevance to operationally reliable use of amotor vehicle.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a first exemplary embodiment of the devicefor reliably generating signals according to the present invention.

FIG. 2 shows exemplary signal patterns produced by the device forreliably generating signals according to FIG. 1.

FIG. 3 is a block diagram of a second exemplary embodiment of the devicefor reliably generating signals according to the present invention.

FIG. 4 shows exemplary signal patterns produced by the device forreliably generating signals according to FIG. 3.

FIG. 5 is a block diagram of a third exemplary embodiment of the devicefor reliably generating signals according to the present invention.

FIG. 6 shows exemplary signal patterns produced by the device forreliably generating signals according to FIG. 5.

DETAILED DESCRIPTION

As shown in FIG. 1, a low-beam control signal 24 and a parking-lightcontrol signal 26 are supplied to a first microcontroller 10. Low-beamcontrol signal 24 reaches a switching element 14 via a firstemergency-operation path 28, and parking-light control signal 26 reachesthe switching element via a second emergency-operation path 30. In theclosed state, switching element 14 transmits low-beam control signal 24and parking-light control signal 26 as low-beam output signal 25 andparking-light output signal 27, respectively, to a first driver 16 and asecond driver 18, respectively, in order to trigger them. Firstmicrocontroller 10 communicates with a second microcontroller 12, whichprovides an emergency-operation activating signal 32 for triggeringswitching element 14. First microcontroller 10 generates a low-beamoutput signal 25 as a function of low-beam control signal 24, thelow-beam output signal being logically combined by diodes 23, in an ORoperation, with the corresponding output signal of switching element 14.In the same manner, first microcontroller 10 may generate aparking-light output signal 27, which is likewise combined with thecorresponding output signal of switching element 14, in an OR operation.Low-beam output signal 25 and parking-light output signal 27 are triggersignals for first driver 16 and second driver 18, respectively, by whichdimmed headlight beam 20 and parking light 22, respectively, aresupplied with electrical energy. Drivers 16, 18 sense the output currentflowing through loads 20, 22, respectively, and signal it back to firstmicrocontroller 10 as check-back signal 17 of first driver 16 andcheck-back signal 19 of second driver 18.

FIG. 2 shows possible signal patterns, which may occur in the exemplaryembodiment according to FIG. 1. At time t₀, parking-light control signal26 changes its state from logical zero to logical one. This eventtriggers emergency-operation activating signal 32, which assumes thestate of logical one between times t₀ and t₁. If there is a fault insecond emergency operating path 30, then check-back signal 19 indicatingthe state of parking light 22 first changes its logical state from zeroto one at time t₁. However, if second emergency operating path 30 isfunctional, then parking light 22 is already activated at time t₀, whichis recognizable from check-back signal 19 of second driver 18(represented by a dotted line). At time t₂, the user activates thedimmed headlight, which is indicated by a signal change of low-beamcontrol signal 24 from logical zero to logical one. At time t₂, thisevent generates an emergency-operation activating signal 32 of logicalone, which lasts for a predefined time span until time t₃. If firstemergency operating path 28 is working, then check-back signal 17 offirst driver 16 already changes its state from logical zero to logicalone at time t₂, but in the case of a fault, it does not change its stateuntil time t₃. The user deactivates the dimmed headlight at time t₄.Thus, the state of check-back signal 17 of first driver 16 also changesat time t₄. At time t₅, the switching-off of the parking light(parking-light control signal 26 changes from the state of logical oneto logical zero) causes parking light 22 to turn off, which isrecognizable by an edge change of check-back signal 19 of second driver18.

In the exemplary embodiment according to FIG. 3, the user may controlstates of an ignition-control signal 34 (terminal 15) and astart-control signal 36 (terminal 50), using an ignition and startingswitch 38. These signals are transmitted to both a steering-columnswitch module 40 and first microcontroller 10. First microcontroller 10exchanges signals with a second microcontroller 12, which in turngenerates a second emergency-operation activating signal 65 as an inputquantity for an OR gate 50. OR gate 50 additionally receives a firstemergency-operation activating signal 64 generated by firstmicrocontroller 10, as a further input quantity. The output signal of ORgate 50 triggers first, second, and third two-way switches 67, 68, and69. No emergency operation is activated in the switch position oftwo-way switches 67 through 69 shown in FIG. 3, so that two-way switches67 through 69 directly transmit the output signals of firstmicrocontroller 10, starting signal 71, starting-relief signal 72, andignition signal 73 to a first, second, and third relay driver 52, 53,54. First relay driver 52 activates or deactivates the control input ofa first relay 56, by which the terminal-50 (starter) may be activated.Second relay driver 53 controls second relay 57, which brings about thestarting relief (disconnection of loads not necessary for the startingoperation) (terminal 75). If the emergency operation path is notactivated, i.e. if third two-way switch 69 is in the state shown, thenignition signal 73 generated by first microcontroller 10 is transmitteddirectly to third relay driver 54, by which a third relay 58 foroperating the ignition may be activated. A starting check-back signal 60records the state of first relay 56, ignition check-back signal 61records the state of third relay 58, and a starting-relief check-backsignal 62 records the state of second relay 57, each of these signalsbeing supplied to first microcontroller 10 as input signals.Ignition-control signal 34 now bypasses first microcontroller 10 and istransmitted to third two-way switch 69. If the emergency operation isactivated, then two-way switch 69 changes its state shown in FIG. 3 andnow causes ignition-control signal 34 to bypass microcontroller 10 andrelays it for the control of third relay driver 54. In turn,starting-control signal 36 bypasses first microcontroller 10 and arrivesat first two-way switch 67, which directly controls first relay driver52 with the aid of starting-control signal 36, in response to theemergency operation being activated by the output signal of OR gate 50.Ignition-control signal 34 and negated starting-control signal 36 arecombined by an AND gate 48 and form a starting-relief signal, which, inthe case of the emergency-operation setting of second two-way switch 68,reaches second relay driver 53 for tripping second relay 57. Firstmicrocontroller 10 exchanges data with a watchdog 46, as well as with abus system 42 via a bus interface 44. There is also a data connectionbetween steering-column switch 40 and bus system 42.

FIG. 4 shows signal patterns that may possibly occur in the exemplaryembodiment according to FIG. 3. At time t₀, the user moves ignition andstarting switch 38 into the position “ignition on”, which is indicatedby a signal change of ignition-control signal 34 from logical zero tological one. At time t₂, the user would like to start the vehicle andmoves ignition and starting switch 38 into the position “start”, so thatstarting-control signal 36 changes from the state of logical zero to thestate of logical one. At time t₆, this state changes again, in that theuser lets go of ignition and starting switch 38 (terminal 15 stays on).Starting-relief signal 72 generated by first microcontroller 10 resultsfrom the AND combination of ignition-control signal 34 with invertedstarting-control signal 36. Therefore, at time t₀, starting-reliefsignal 72 changes from the state of logical zero to logical one, inorder to again assume the state of logical zero at time t₂(switching-off of the unneeded load circuits for starting relief), up totime t₆. When ignition-control signal 34 is switched off at time t₇,starting-relief signal 72 also changes from the state of logical one tological zero. When a rising edge of ignition-control signal 34 occurs attime t₀, first microcontroller 10 generates first emergency-operationactivating signal 64 until time t₁. At time t₃, first microcontroller 10deactivates first emergency-operation activating signal 64. With theswitching-off of ignition-control signal 34, second emergency-operationactivating signal 65 is set to logical one at time t₇, until time t₈, inorder to also test the performance reliability of activating theemergency-operation path with the aid of second microcontroller 12. Inthe case of proper emergency operation, starting-relief check-backsignal 62 may already assume the state of logical one at time t₀.However, if starting-relief check-back signal 62 only changes its statefrom logical zero to logical one at time t₁, then one may deduce thatthe emergency-operation path is defective. If second microcontroller 12controls the emergency-operation path correctly, then starting-reliefcheck-back signal 62 retains the state of logical one from time t₆ totime t₇. However, if a defect occurs when the emergency-operation pathis activated by second microcontroller 12, then starting-reliefcheck-back signal 62 only changes from the state of logical one tological zero at time t₈. When the emergency-operation path by firstmicrocontroller 10 is functioning, starting check-back signal 60 changesits state from logical zero to logical one at time t₃ at the earliest.In the event of defective emergency-operating path triggering by firstmicrocontroller 10, the positive edge of starting check-back signal 60first occurs at time t₄. At time t₅, starting check-back signal 60changes state from logical one to logical zero. When theemergency-operation control by first microcontroller 10 is functioning,ignition check-back signal 61 assumes the state of logical one at timet₀, but assumes the state of logical one at a time t₁ in the event ofdefective emergency-operation control. If the emergency-operationactivation by second microcontroller 12 functions correctly, thenignition check-back signal 61 already changes its state from logical oneto logical zero at time t₇, but when the emergency-operation path isdefective, then it changes its state from logical one to logical zero attime t₈. The delay between terminal 75/terminal 50 (times t₂, t₃; t₅,t₆) does not have any influence on the testing of theemergency-operation paths. The delay may also be set to zero, usingsoftware.

As an addition to FIG. 1, the third exemplary embodiment according toFIG. 5 provides for an automatic driving-light control signal 81 beingtransmitted to first microcontroller 10, as well as being transmitted toswitching element 14, in an OR operation, with low-beam control signal24. An emergency-operation diode 87 is situated between the outputs ofswitching element 14. This does not have any influence on the testing ofthe emergency-operation paths, but causes parking light 22 to beswitched on during emergency operation, when the dimmed headlight or theautomatic driving-light function is activated.

The signal pattern according to FIG. 6 is described below. An automaticdriving-light signal 81 is fed to first microcontroller 10 in the samemanner as a light-sensor signal 82. This outputs an output signal 25 forcontrolling a driver 16 of dimmed headlight 20. During the testing ofthe emergency-operation path, first microcontroller 10 recognizes thatthe rotary light switch is on at position AFL, and that the light-sensorsignal is activated. The emergency-operation path is then activated bysecond microcontroller 12, initiated by first microcontroller 10. In theactual emergency operation, i.e. not in the test case, it is sufficientwhen the rotary light switch is at the AFL setting, in order to activateemergency light operation. First microcontroller 10 exchanges data withsecond microcontroller 12, which assumes the control of the two-wayswitch for activating the emergency operation. Emergency-operationactivating signal 84 for testing the emergency-operation path is thenactivated (state of logical one), when the signal resulting from logicalAND operation of driving-light signal 81 and light-sensor signal 82 hasa positive edge. The lower headlight beam is only then switched on. Whenthe emergency-operation path is operating properly in response to beingactivated by second microcontroller 12, low-beam, check-back signal 85likewise supplied to first microcontroller 10 for error evaluation wouldalready change from the state of logical zero to logical one at time t₀.If the triggering of the emergency-operation path by secondmicrocontroller 12 is not successful (defective emergency-operationpath), then the signal change first occurs at time t₁. Theemergency-operation path is also reactivated at time t₂ till time t₃.When the emergency-operation path functions correctly, the check-backsignal of dimmed headlight 85 would already change state at time t₂,but, in the event of defective operation, it would not change stateuntil time t₃.

In the exemplary embodiment according to FIG. 1, first microcontroller10 assumes the software-controlled triggering of driver 16, 18 as afunction of the state of low-beam control signal 24 and parking-lightcontrol signal 26. In order to further ensure the control of drivers 16,18 in the case of a fault of first microcontroller 10,emergency-operation paths 28, 30 are provided, which bypassmicrocontroller 10 and directly combine control signals 24, 26, ascontrol signals for drivers 16, 18, with the output signals of firstmicrocontroller 10, using OR network 21. However, this direct controlwith the bypassing of microcontroller 10 only occurs when switchingelement 14 is in the closed state. The corresponding triggering ofswitching element 14 is assumed by second microcontroller 12 with theaid of emergency-operation activating signal 32. Second microcontroller12 monitors the operativeness of first microcontroller 10 and, in thecase of a fault, drives switching element 14 in the closing direction,in order to activate emergency-operation paths 28, 30. Therefore, inspite of a fault of first microcontroller 10, proper operation continuesto be possible during normal operation.

In order to now check the operativeness of emergency-operation paths 28,30, first microcontroller 10 initiates the triggering of drivers 16, 18for the time span of t₀ to t₁, via emergency-operation paths 28, 30(using second microcontroller 12 and emergency-operation activatingsignal 32). However, after time t₁, the control is accomplishedregularly by directly supplying trigger signals 25, 27 with the aid offirst microcontroller 10. In this connection, switching element 14 isdriven in the direction of opening (deactivation of emergency-operationpaths 28, 30).

The functioning method of the emergency-operation check test isdescribed in detail, using the signal pattern according to FIG. 2. Attime t₀, the user operates the parking light, so that parking-lightcontrol signal 26 changes from the state of logical zero to logical one.This rising edge triggers the activation of the emergency-operationmonitoring function in first microcontroller 10, which acts as theemergency-operation monitoring arrangement. At time t₀, firstmicrocontroller 10 still does not output a signal corresponding toparking-light control signal 26, but rather activates theemergency-operation function via second microcontroller 12. As a result,second microcontroller 12 generates an emergency-operation activatingsignal 32, by which switching element 14 is closed in such a manner,that parking-light control signal 26 bypasses microcontroller 10 andarrives at the input of second driver 18. Field-effect transistors areused, for example, as drivers 16, 18, the field-effect transistorsadditionally generating signals proportional to the output current, inthe form of check-back signals 17, 19. First microcontroller 10 subjectscheck-back signal 19 to an analog-digital conversion and compares theincoming value to a specifiable threshold value. If this threshold valueis exceeded, then microcontroller 10 concludes that parking light 22 isbeing activated. Microcontroller 10 evaluates check-back signal 19within the time span t₀ to t₁ and compares the signaled state of parkinglight 22 to the nominal state, as is determined by incomingparking-light control signal 26. As of time t₀, parking light 22 shouldbe triggered in the direction of activation. If check-back signal 19signals this state, then microcontroller 10 concludes that secondemergency-operation path 30 is operating properly. However, ifcheck-back signal 19 indicates that parking light 22 is not activated,then the nominal state deviates from the actual state. It is concludedthat second emergency-operation path 30 has a fault. Firstmicrocontroller 10 creates a corresponding entry in the fault-storagemeans. In addition, this fault may be displayed by a data-bus system notshown, in order to point out to a user that he or she should drive tothe next garage. However, second microcontroller 12 generates anemergency-operation activating signal 32 for a specifiable, short timespan, i.e. from time t₀ to time t₁. As of this time t₁ known to firstmicrocontroller 10, it now assumes the control of second driver 18 byoutputting the corresponding state of parking-light control signal 26.However, emergency-operation path 30 is now interrupted again, so thatparking-light control signal 26 no longer controls second driver 18directly by bypassing microcontroller 10. When a rising edge of low-beamcontrol signal 24 occurs at time t₂, the operativeness of firstemergency-operation path 28 is now tested. The procedure is analogous tothat described in connection with the parking-light emergency-operationpath, while check-back signal 17 of first driver 16 is evaluated.

In the exemplary embodiment according to FIG. 3, both firstmicrocontroller 10 and second microcontroller 12 may take over theactivation of the emergency-operation paths. Therefore, these twoactivation options are also tested. Since ignition-control signal 34 andstarting-control signal 36 are signals that are particularly relevantwith regard to safety, it is also provided that the emergency-operationpaths be tested in the case of input signals of both logical zero andlogical one. In response to the occurrence of a positive-going edge ofignition-control signal 34, first microcontroller 10 directly activatesthe emergency-operation function itself, in that firstemergency-operation activating signal 64 assumes the state of logicalone at time t₀, and therefore, the output signal of OR gate 50correspondingly does so also. Two-way switches 67, 68, 69 are therebytriggered in such a manner, that ignition-control signal 34 andstarting-control signal 36 bypass first microcontroller 10 and traveldirectly to drivers 52, 54. In order to detect a possible faultcondition of the emergency-operation path, starting check-back signal60, ignition check-back signal 61, and starting-relief check-back signal62 are each fed back to first microcontroller 10 via an analog-digitalinput. Ignition check-back signal 61 is now evaluated between times t₀and t₁, with a view to whether this actual signal matches the nominalstate specified by ignition-control signal 34. If this is the case, thenmicrocontroller 10 concludes that the emergency-operation path functionscorrectly with respect to the ignition signal. In the event of adeviation from the nominal state and actual state (in the case of afault of the emergency-operation path), first microcontroller 10 createsan entry in the fault-storage means. In addition, an error message istransmitted via interface 44 to bus system 42, in order to thus bedisplayed. Now, in order to also test for the correct functioning of theemergency-operation path during the control by second microcontroller12, first microcontroller 10 reactivates the emergency-operationfunction from time t₇ to time t₈, using second microcontroller 12, inresponse to a decreasing edge of ignition-control signal 34. If ignitionrelay 58 is activated in spite of the control being deactivated, thenmicrocontroller 10 concludes that a fault is present in theemergency-operation path. In this case, the emergency-operatingarrangement is switched by second microcontroller 12.

Starting-control signal 36 has a rising edge at time t₂. Terminal75/terminal 50 signals 62, 60 are delayed between times t₂ and t₃. Theterminal 50/75 and terminal 75/50 delays have no influence on thetesting of the emergency-operation paths. These delays are merely usedto generate a very short (e.g. 10 ms) delay time between terminal 50 andterminal 75. This delay time ensures that terminal 50 is only switchedon when terminal 75 has already switched off. This time may also be setto zero, using software. The emergency-operation paths are not testedduring this time. The tests of the emergency-operation paths at logicalzero are accomplished concurrently: e.g., between t₀ and t₁, terminal 15is tested at logical one, terminal 50 is tested at logical zero, andterminal 75 is tested at logical one. At time t₃, first microcontroller10 now activates the emergency-operation function, in order to transmitstarting-control signal 36 directly to first relay driver 52, whilebypassing first microcontroller 10. If the actual state portrayed bystarting check-back signal 60 matches the nominal signal provided bystarting-control signal 36, then first microcontroller 10 recognizesthat the emergency-operation path is operating properly. In the event ofdeviations, a fault is inferred.

The emergency-operation path for the starting relief is also tested,using an analogous procedure.

A corresponding evaluation is also to be applied analogously to thesignal pattern according to FIG. 6. The emergency-operation paths offurther, safety-related functions may also be tested in the describedmanner.

The described device is particularly suitable for use in a motorvehicle.

1. A device for reliably generating a signal in a motor vehicle,comprising: at least one switching element; at least one first controlarrangement which is supplied at least one control signal, the at leastone first control arrangement generating at least one trigger signal asa function of the at least one control signal in order to trigger the atleast one switching element; an emergency-operating arrangement, which,in an emergency operation, generates the at least one trigger signal asa function of the at least one control signal; and a testing arrangementwhich tests an operativeness of the emergency-operating arrangement byselective triggering the emergency operating arrangement, wherein theemergency-operating arrangement is one of activated and deactivated inresponse to an edge change of the at least one control signal, whereinthe emergency-operating arrangement is one of first activated and firstdeactivated for a specifiable time span after a defined time span haselapsed with respect to the edge change of the at least one controlsignal.
 2. A device for reliably generating a signal in a motor vehicle,comprising: at least one switching element; at least one first controlarrangement which is supplied at least one control signal, the at leastone first control arrangement generating at least one trigger signal asa function of the at least one control signal in order to trigger the atleast one switching element; an emergency-operating arrangement, which,in an emergency operation, generates the at least one trigger signal asa function of the at least one control signal; and a testing arrangementwhich tests an operativeness of the emergency-operating arrangement byselective triggering the emergency operating arrangement, wherein theemergency-operating arrangement includes at least one two-way switch forrelaying one of an output signal of the control arrangement and the atleast one control signal.
 3. A device for reliably generating a signalin a motor vehicle, comprising: at least one switching element; at leastone first control arrangement which is supplied at least one controlsignal, the at least one first control arrangement generating at leastone trigger signal as a function of the at least one control signal inorder to trigger the at least one switching element; anemergency-operating arrangement, which, in an emergency operation,generates the at least one trigger signal as a function of the at leastone control signal; and a testing arrangement which tests anoperativeness of the emergency-operating arrangement by selectivetriggering the emergency operating arrangement, wherein a fault of theemergency-operating arrangement is detected using at least onecheck-back signal, and wherein a measure of a current controlled by theat least one switching element is used as the at least one check-backsignal.
 4. A device for reliably generating a signal in a motor vehicle,comprising: at least one switching element; at least one first controlarrangement which is supplied at least one control signal, the at leastone first control arrangement generating at least one trigger signal asa function of the at least one control signal in order to trigger the atleast one switching element; an emergency-operating arrangement, which,in an emergency operation, generates the at least one trigger signal asa function of the at least one control signal; and a testing arrangementwhich tests an operativeness of the emergency-operating arrangement byselective triggering the emergency operating arrangement, wherein afault of the emergency-operating arrangement is detected using at leastone check-back signal, and wherein, in order to detect a fault of theemergency-operating arrangement, the testing arrangement compares anominal state specified by the at least one control signal to an actualstate derived with the aid of the at least one check-back signal.
 5. Adevice for reliably generating a signal in a motor vehicle, comprising:at least one switching element; at least one first control arrangementwhich is supplied at least one control signal, the at least one firstcontrol arrangement generating at least one trigger signal as a functionof the at least one control signal in order to trigger the at least oneswitching element; an emergency-operating arrangement, which, in anemergency operation, generates the at least one trigger signal as afunction of the at least one control signal; and a testing arrangementwhich tests an operativeness of the emergency-operating arrangement byselectively triggering the emergency operating arrangement, wherein theemergency-operating arrangement is one of first activated and firstdeactivated for a specifiable time span after a defined time span haselapsed with respect to an edge change of the at least one controlsignal.